I’m working on an authentication proxy, and I’m getting an error when trying to use parameter expansion in my DLS.
I’m using an image based off of amazon/opendistro-for-elasticsearch:1.12.0 for Elasticsearch, and one based on amazon/opendistro-for-elasticsearch-kibana:1.12.0 for Kibana.
In my kibana.yml I have:
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization","x-forwarded-for","x-proxy-user","x-proxy-roles","x-proxy-ext-space-ids","x-proxy-ext-org-ids"]
opendistro_security.auth.type: "proxy"
opendistro_security.proxycache.user_header: "x-proxy-user"
opendistro_security.proxycache.roles_header: "x-proxy-roles"
And in my Elasticsearch config.yml I have:
proxy_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: extended-proxy
    challenge: false
    config:
      user_header: "x-proxy-user"
      roles_header: "x-proxy-roles"
      attr_header_prefix: "x-proxy-ext-"
  authentication_backend:
    type: noop
Then in my roles.yml I have:
cf_user:
  reserved: false
  hidden: false
  cluster_permissions:
  - "read"
  - "cluster:monitor/nodes/stats"
  - "cluster:monitor/task/get"
  index_permissions:
  - index_patterns:
    - "logs-app-*"
    dls: "{\"bool\": {\"should\": [{\"terms\": { \"@cf.space_id\": [${attr.proxy.space-ids}] }}, {\"terms\": {\"@cf.org_id\": [${attr.proxy.org-ids}]}}]}}"
    fls:
    allowed_actions:
    - "read"
  tenant_permissions: []
  static: false
When I try to load the Discover tab I get an error with a stack trace. I believe the important piece is here:
Caused by: com.fasterxml.jackson.core.JsonParseException: Unrecognized token '$': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
at [Source: (String)"{"bool": {"should": [{"terms": { "@cf.space_id": [${attr.proxy.space_ids}] }}, {"terms": {"@cf.org_id": [${attr.proxy.org_ids}]}}]}}"; line: 1, column: 52]
Looking at the Kibana logs, I can see that the x-proxy-ext-org-ids and x-proxy-ext-space-ids headers are being set.
Am I missing some magic to make the parameter expansion work in dls?
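
An offline check for the failure reported above, added here as an example; it is not part of the original post and not Open Distro code. It assumes placeholders are replaced as plain text before the query is parsed as JSON, and that a header `x-proxy-ext-<suffix>` becomes the attribute `attr.proxy.<suffix>`; the function names and header values are constructed.

```python
import json
import re

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# DLS query from the roles.yml above, after YAML unescaping.
DLS_TEMPLATE = (
    '{"bool": {"should": [{"terms": { "@cf.space_id": [${attr.proxy.space-ids}] }}, '
    '{"terms": {"@cf.org_id": [${attr.proxy.org-ids}]}}]}}'
)

def attrs_from_headers(headers, prefix="x-proxy-ext-"):
    """Assumed mapping: header '<prefix><suffix>' -> attribute 'attr.proxy.<suffix>'."""
    return {
        "attr.proxy." + name.lower()[len(prefix):]: value
        for name, value in headers.items()
        if name.lower().startswith(prefix)
    }

def render_dls(template, attrs):
    """Assumed plain-text substitution, then the JSON parse the query must survive."""
    text = PLACEHOLDER.sub(lambda m: attrs.get(m.group(1), m.group(0)), template)
    unresolved = PLACEHOLDER.findall(text)
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        parsed = None
    return text, unresolved, parsed

# Constructed header sets, not taken from the post.
NO_ATTRS = {"x-proxy-user": "alice", "x-proxy-roles": "cf_user"}
QUOTED = dict(NO_ATTRS, **{"x-proxy-ext-space-ids": '"s1","s2"', "x-proxy-ext-org-ids": '"o1"'})
BARE = dict(NO_ATTRS, **{"x-proxy-ext-space-ids": "s1,s2", "x-proxy-ext-org-ids": "o1"})

if __name__ == "__main__":
    for label, headers in (("no attributes", NO_ATTRS), ("quoted", QUOTED), ("bare", BARE)):
        _, unresolved, parsed = render_dls(DLS_TEMPLATE, attrs_from_headers(headers))
        print(f"{label}: unresolved={unresolved} valid_json={parsed is not None}")
```

An unresolved placeholder leaves a literal `$` in the query, which is the token the JsonParseException above complains about; a resolved but unquoted value fails the same parse for a different reason.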